McKinsey&Company 


Expect the unexpected: 
Reduce corporate 
exposure and create value 
through supply chain risk 
management 


Katy George, Venu Nagali, Louis Rassey 


Supply chain problems have significantly impacted 
pharmaceutical and medical products manufacturers recently, 
leading to billions of dollars in lost market cap, recalls, regulatory 
settlements, and other costs. However, most companies 
in the sector still do not have a systematic approach for 
assessing and managing such threats. We have developed a 
five-part framework to identify and mitigate supply chain risks 
in a proactive way. By following the elements in this strategic 
approach, pharmaceutical and medical products manufacturers 
can substantially reduce or eliminate supply chain problems due 
to unforeseen events. As a result, these companies can gain an 
edge over competitors, with more stable production capacity 
and better financial performance. 


Supply chain risks to companies in the pharmaceutical and medical 
products sector have risen steadily in recent years, driven by a range 
of factors. Increased offshoring and outsourcing, along with more 
sophisticated production technology, have made supply chains in the 
sector far more complex, leading to a greater potential for disruptive 


events. Regulatory compliance changes have also played a role, as has 
convergence between pharma companies and makers of medical products. 
At the same time, competitive and pricing pressures have reduced the margin 
of error for production problems. Pharmaceutical and medical products 
manufacturers face greater capital intensity and cost pressures, leading to 
lower inventories and a reduction in dual sourcing. As a result, they are less 
prepared today to mitigate supply chain risks. 


Such risks manifest themselves in several ways. At a minimum, component 
and product costs can spike during supply-demand imbalances, destabilizing 
business plans and overall financial performance. More substantial, however, 
are outright shortfalls in components or production materials, which can limit 
production and create a significant impact on public health. Recent reports 
indicate a current shortage of some cancer drugs, especially for certain low- 
margin generic versions, forcing doctors to delay or ration treatment’. The 
FDA lists a range of supply chain risk issues that are currently causing drug 
shortages, including greater-than-expected demand, manufacturing delays, 
commodity shortages, and supply issues, among others. 


Quality and compliance issues are an additional source of risk, potentially 
triggering recalls or adverse regulatory actions. While these events have 
obvious public-health ramifications, they can also result in large share-price 
declines for companies in the sector. A recent McKinsey study of medical 
products companies determined that supply chain risk events are the second- 
largest contributors of large monthly declines in share price, resulting in drops 
of 10 percent or more when compared to the S&P 500 over the same time 
period (Exhibit 1). These incidents can put substantial shareholder value at 
risk. In the United States, product recalls alone cost shareholders more than 
$25 billion a year in market cap, assuming $2 million in costs per recall; about 
1,100 recalls a year; and a stock multiple of 12 times earnings. 


The past year has seen several such incidents. Boston Scientific was forced 
to recall implantable defibrillators, causing its shares to fall 13 percent 
overnight. The company expects to lose $5 million every day that the devices 
are off the market’. GlaxoSmithKline PLC agreed to pay $750 million for 
quality issues*. And Johnson & Johnson recently experienced a series of 
product recalls caused by several manufacturing and supply chain events that 
resulted in a loss of more than $900 million in annual revenue, not counting 
losses of goodwill and market share®. This is not the first such experience for 
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the company. In 2003 and 2004, Johnson & Johnson experienced higher- 
than-expected demand for a new drug-eluting stent, which—coupled with 
supply shortages due to manufacturing and quality issues as well as lower 
inventories—resulted in lost sales and loss of market share®. 


Although most companies in the sector have risk management programs 

in place, they are typically siloed and functionally based. For example, 
companies may have business continuity management (BCM) programs 

for individual manufacturing sites that focus on recovering from disruptive 
events, measures within the procurement organization to mitigate sourcing 
risks from suppliers, or compliance and audit management initiatives in the 
quality organization. Yet, there is little if any coordination among these efforts. 
Furthermore, most BCM plans typically specify similar time-to-recover goals 
for manufacturing sites without explicitly considering the relative importance 
of the products being produced or the likelihood of bad events, and they often 
fail to include proactive steps to mitigate the risks from such events. 


In this context, there is a clear need for healthcare companies to implement 
comprehensive and rigorous supply chain risk-management programs, in 
order to manage increasing risks in a cost-effective way. While such practices 
are still relatively uncommon in the sector, companies can adopt best 
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practices from other industries that have implemented a more comprehensive 
and forward-looking approach, such as those in the high-tech, automotive, 
apparel, and consumer product goods (CPG) verticals. 


Accordingly, we believe that: 


= Companies in the healthcare sector can systematically identify risk at 
all steps in the end-to-end supply chain, and rigorously quantify their 
exposure by considering: the likelinood of a particular source of risk; the 
business impact from that risk; and the preparedness to mitigate it. 


Æ Risk mitigation and preparedness strategies should be differentiated based 
on the relative importance of different products and sites. 


= Risk management must go beyond the traditional scope of business 
continuity management—that is, preparing for recovery after bad events— 
to more proactively reduce the likelihood and negative consequences of 
such events. 


E Companies should explicitly account for risk when making strategic 
decisions. 


m While healthcare companies must still implement quality and compliance 
management systems, a risk-informed approach can enhance the 
effectiveness of those systems. This approach can reduce both the risk of 
conventional quality and compliance issues, and—if those risks develop 
into full-fledged recalls and regulatory actions—the impact of those events 
on the company’s operations. 


E |n addition to the focus on negative risk, companies must consider and 
plan for the upside opportunities of supply chain uncertainties, such as 
greater-than-expected demand for vaccines, opportunities stemming 
from supply disruptions that impact a competitor, and new product 
introductions that ramp faster than forecasts. 


Our framework for supply chain risk leadership 


We have developed a proprietary, end-to-end supply chain risk-management 
process and tool kit tailored to healthcare companies, in order to identify 
and proactively mitigate potential risks and deliver incremental value. This 
represents a substantial upgrade to the current risk-management practices 
at most companies in the sector, which are largely ad hoc and lack a 
comprehensive approach to implementation. 


Our framework consists of five components (Exhibit 2). 
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1. Identify and evaluate risks across the end-to-end 
supply chain 


The ability to identify and evaluate exposure from sources of risk from 

their supply chains made a big difference to the fortunes of Nokia and 

its competitors. In March 2000, a fire broke out at a Philips plant in New 
Mexico—a supplier of semiconductor chips to cell-phone manufacturers 
including Nokia— forcing the plant to remain shut down for several months. 
The difference in outcomes for the customers of the New Mexico plant was 
dramatic— Nokia came out of the disruption stronger and gained market 
share, while some of its leading competitors were significantly weakened and 
lost market share’. 


This difference was primarily due to Nokia’s comprehensive supply chain 
risk-management program, which helped the company immediately—and 
accurately—estimate the impact of the shutdown on its business, and then 
react accordingly. Nokia switched orders to other Philips plants and to its 
Japanese and American suppliers, and redesigned chips to reduce its reliance 
on Philips products. 
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Like Nokia, Cisco Systems also has an effective system to identify and 
evaluate sources of risk throughout its end-to-end supply chain®. The 
company maps all manufacturing partners, component suppliers, and logistics 
providers as nodes. It can then identify and evaluate sources of risk from 

each node, which it displays on a central crisis-management dashboard. In 
addition, Cisco uses a subscription-based service to obtain near real-time 
alerts about events that could affect the flow of goods from, to, and between 
suppliers. And it updates the resiliency of critical suppliers every six months 
through worst-case-scenario evaluations. 


Nokia and Cisco offer object lessons for pharmaceutical and medical device 
companies that should adopt a multidimensional approach to understand the 
risks at all stages of the supply chain. To begin, the company should identify 
individual risks for each product, function, and site (Exhibit 3). Each source of 
risk must be evaluated based on its impact on the company’s ability to meet 
its objectives—the “objectives-at-risk” approach. Specifically, those objectives 
include serving customer demand, obtaining supply, achieving cost targets, 
and complying with regulations. 
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In addition, for each of its top products, the company should systematically 
identify and then assess sources of risks for all functions along the end-to-end 
supply chain—from new product introduction (NPI) and commercialization to 
planning, procurement, manufacturing, and distribution. 


To evaluate the exposure from each source of risk, management must use a 
standard evaluation approach that considers: the likelihood of occurrence for 
that risk; the impact it would generate on one or more supply chain objectives 
if it were to materialize; and the current level of preparedness in place to 
reduce the impact. Using quantitative leading indicators and trends of key 
performance indicators (KPIs) helps to determine the likelihood of individual 
sources of risk. A standard evaluation approach will enable management to 
make an apples-to-apples comparison of risks across products, functions, 
and sites, in order to identify the most immediate potential disruptions facing 
the company. 


In the healthcare sector, this kind of quantitative approach is notably rare, a 
problem that is compounded by a comparatively wide range of supply chain 
risks, Some unique to the sector. These include quality and compliance risks, 
patient safety, environmental health and safety, capacity at several stages of 
production, and the cost and supply of raw materials. 


2. Define clear risk appetite across the enterprise and by 
product type 


The appetite for risk will vary dramatically from one company to another, and 
even from one product to another within a company’s offerings. For example, 
a company may have a substantially lower risk appetite for products that 

can adversely impact public health. That said, given the complexity of many 
companies’ portfolios, management should specify risk appetite not by 
individual products but rather by product groupings. These groupings can 
be based on individual importance of products to one or more enterprise 
objectives, such as financials, public health, reputation, and brand name. 


For example, a major healthcare company recently defined its risk appetite 

by categorizing the entire product portfolio into three types, with specific 
exposure thresholds for each. The company also categorized its production 
facilities into segments based on the type of products they manufactured. The 
site segmentation enabled the company to prioritize investments, properly 
allocate management attention among multiple facilities, more accurately 
determine the frequency and duration of quality audits, and better assess its 
overall business continuity preparedness. 


The next step for each company should be to define risk appetite by setting 
exposure thresholds for each product type. These exposure thresholds can be 
pegged to supply chain metrics such as meeting demand (fill rate or service 
level), cost savings targets, or quality and compliance levels by product 

type (Exhibit 4). Defining risk exposure will enable managers throughout the 
organization to make quantitative and consistent decisions when faced with 
tradeoffs between risk levels and investment. 
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3. Use a risk-informed approach to making strategic 
decisions 


Every strategic supply chain decision involves an element of managing 
uncertainty and risk. Companies that strive to optimize their production 
network must assess a range of factors, including labor, currency, material 
and logistical cost risks, disaster-related disruptions and supply shortages, 
and demand variability risks. 


A CPG company, for instance, recently confronted these issues. The company 
was seeking to better manage significant demand risks in its main U.S. 
market, along with cost and supply risks at its foreign manufacturing sites due 
to uncertainties in labor, currency, materials, and natural disasters. To that 


point, the company had two manufacturing sites in a low-cost country (LCC), 
however those sites served only local and regional markets. The company 
optimized its manufacturing network to address these risks by investing in new 
capacity at one of the LCC facilities. This provided a dual production source, 
which not only mitigated downside risks from events such as natural disasters 
but also offered additional capacity to address upside opportunities in the 
United States. The company tested the idea with highly volatile products that 
required minimum investment (e.g., overtime). By adopting a long-term view 
to investing in capacity in this manner, the company reduced its exposure 

to external events while also generating a 16 percent improvement in risk- 
adjusted cost. 


Similarly, a large pharmaceutical company faced risks in a high-margin 
segment of its business, due to supply threats such as shortages and 
disasters, and more significantly due to variable demand. To address these 
challenges, it needed to establish a flexible production capacity. The company 
conducted a comprehensive analysis to quantify all major risks and determine 
the scope of potential upside revenue opportunities. By strategically optimizing 
its flexible capacity, the company recognized an additional $2.5 billion in sales 
over five years, an increase of 17 percent. Vaccine manufacturers face related 
capacity-planning challenges, given significant uncertainty in demand and the 
long lead times associated with production. 


We recommend using a risk-informed approach to make strategic supply 
chain decisions, including network optimization, manufacturing footprint, 
supplier contracts, and inventory policies. This raises the degree of difficulty 
of such decisions, in that it adds an additional entering argument. Yet, we 
find that when explicitly accounting for risk, certain supply chain decisions— 
such as the level of inventory and dual sourcing, and the size of back-up 
manufacturing facilities, among others—can be vastly different from those 
determined by traditional practices, as shown in the examples above. This is 
particularly true in the healthcare sector, where rigorous supply chain risk- 
management programs are still relatively rare. Only by adopting a risk-informed 
approach will management be able to make more robust decisions that can 
withstand the inherent uncertainties of the future. 


Finally, while companies most commonly seek to reduce their exposure to risk 
by determining the optimal set of mitigating actions, this is not universally true. 
In some cases, a company may find itself able to tolerate greater exposure 

for certain products, processes, and facilities. In this way, a rigorous risk- 
based approach not only can mitigate threats but also can unlock incremental 
value by freeing up resources of time and attention that had been devoted to 
keeping certain risks unnecessarily low. 
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4. Establish robust governance by embedding risk 
management into core processes 


Risk management, by its very nature, is a cross-functional activity, as different 
functions within the supply chain can only identify and manage the sources of 
risks within their own realm. Because of that interconnectedness, establishing 
a cross-functional risk-management process is critical to success. This 
process must explicitly define the roles and responsibilities of the different 
supply chain functions, with clear lines of demarcation. In addition, the 
company must periodically reassess risks to ensure that its mitigation 
strategies remain appropriate to the changing dynamics of the market. 


Given the scope and complexity of most companies in the sector, managing 
the sheer volume of information from this process becomes a challenge. A set 
of customized risk reports and dashboards can help. One major healthcare 
company is currently implementing a series of dashboards that can be 
customized to specific levels within the management structure. For example, 
the company compiles all of the top risks for a particular product and displays 
them on a single dashboard for that product’s manager, while information for 
multiple products, functions, and/or sites can be displayed on a sector-level 
dashboard for risk officers and other senior leaders. 


5. Create a risk culture in the organization 


Our surveys of employees at several healthcare companies indicate that risk 
culture is an area with substantial room for improvement. At some companies, 
managers seem to reward firefighting more than the proactive steps taken 

to reduce risks. Other companies tend to punish dissent in the ranks, or fail 

to accommodate innovative, ground-level suggestions that are intended to 
improve results. 


Developing the right culture is the key element of managing risk in any 
organization. Management should foster an open environment in which 
individuals feel empowered to discuss risks and potential disruptions, and 
even challenge line managers on specific decisions where appropriate. 
Individuals should be able to discuss bad news with the same candor as when 
discussing good news. And workers within the different supply chain functions 
should share actions and best practices across the boundaries of the supply 
chain. For example, an employee in manufacturing should be aware of, and 

be able to leverage, a mitigation action that has worked well in procurement. 
Establishing this culture requires a high degree of communication, in which 
management establishes the right set of incentives for individuals to respect 
rules and procedures and to work for the greater good of the organization. 
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Given that backdrop, we recommend a detailed assessment of a company’s 
risk culture to identify gaps and address cultural issues head-on. 


Getting started 


Senior executives of healthcare companies can get started by asking the 
supply chain organization to identify the greatest sources of risk to the 
enterprise. This information should come through specific deliverables such as 
a heat map to describe the concentration of top risk sources across various 
supply chain functions, or an analysis of strategic investments that includes 
both conventional metrics such as expected net present value (NPV) and 
return on invested capital (ROIC), along with risk-adjusted measures such as 
standard deviation or worst-case NPV and ROIC. 


This information will help catalyze a set of initial activities that ideally comprise 
the first steps of this framework. Companies should categorize all products 
into a few types and then define the risk appetite for each one, leading to 

an assessment of supply chain risks for the top products to determine the 
greatest sources of risk and the specific mitigation actions for each type. 
With this as a foundation, risk organizations can progressively become more 
sophisticated in the implementation of supply chain risk management. 


In conclusion, implementing a holistic and comprehensive supply chain 
risk-management program can deliver a wide range of benefits, enabling 
companies to: understand the likelinood of certain risks, proactively and 
cost-efficiently mitigate those risks, and obtain incremental value by making 
risk-informed strategic supply chain decisions. However, management must 
understand that risk management is not a one-time activity. To deliver on this 
wide range of benefits, risk management must become an integral part of how 
the company operates. 
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com) is a principal in the Chicago office. Copyright © 2012 McKinsey & 
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Case study: Hewlett-Packard 


Hewlett-Packard Company has been imple- 
menting a comprehensive supply chain risk- 
management program since 2001, which has 
been written about extensively in industry 
and academic journals',?, primarily because 
the results have been so notable. Like most 
high-tech companies, HP faces a host of chal- 
lenges. Short product life cycles in the sector 
create significant demand risks. Volatile com- 
ponent prices bring cost risks. And periodic 
mismatches in supply and demand for the 
industry—along with supply chain disruptions 
and quality issues—trigger component supply 
risks. To address these supply chain risks, HP 
developed and implemented a comprehen- 
sive supply chain risk-management program, 
which aligns well with portions of the five-part 
framework described above. 


Supply chain uncertainties and risks 
linked to key objectives 


HP has implemented the “objectives-at-risk” 
approach, which considers the risks to key 
supply chain objectives that the company 
considers most important: supply assurance, 
cost savings, and cost predictability. These 
three objectives are impacted by a range of 
variables, including component/product de- 
mand, component cost, and supply uncer- 
tainties, which HP quantifies using proba- 
bilistic scenarios. In evaluating demand, for 
example, the company uses the 10th, 50th, 
and 90th percentiles of the discrete demand 
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distribution to represent the low, base, and 
high scenarios of demand for HP products at 
any point in time. 


Defining risk appetite and ownership us- 
ing the probabilistic scenario approach 


The probabilistic scenario approach lends it- 
self nicely to the subsequent challenge of de- 
fining risk appetite. Taking demand analysis 
a step further, the 10th percentile (the “low” 
scenario) by definition implies that there is only 
a 10 percent likelihood of the actual demand 
being less than forecast. This defines the 
range of demand uncertainty that HP is will- 
ing to accept. That is, HP commits to buying 
that range of demand using a fixed quantity 
contract with suppliers. For the range of de- 
mand near the 50th percentile, where the un- 
certainty is higher, HP transfers that risk to the 
supplier using a flexible quantity contract. The 
supplier takes on this uncertainty because it 
may be cheaper for the supplier to manage 
across all of its customers. 


Risk-informed strategies and decisions 


Once HP has quantified the uncertainties im- 
pacting its supply chain objectives, it can then 
leverage pricing terms pegged to specific 
business objectives. For example, if the busi- 
ness objective is cost savings, HP uses a dis- 
counted pricing term. If the business objective 
is cost predictability, it uses either a fixed- 
price or price-cap pricing term. HP repeats 
this process for all of its products, and effec- 
tively winds up with a portfolio of structured 
contracts that are specifically tailored to maxi- 
mize business objectives and manage risk 
due to demand, cost, and supply uncertainty. 


In the aggregate, HP’s supply chain risk-man- 
agement program delivered incremental value 
in excess of $500 million during its first six 
years, across four key categories: (1) material 
cost savings of over $425 million, as the risk- 
informed contracts enabled suppliers to lower 
their costs and risks of doing business with 
HP; (2) increased supply assurance for key 
components, particularly during market short- 
ages, delivering an estimated $50 million in 
additional margin; (3) improved cost predict- 
ability of components that have volatile costs, 
saving HP an additional $50 million; and (4) 
lowered inventory costs by several percentage 
points as HP optimized inventory levels inter- 
nally and at suppliers. 


Of course, these results are not reproduc- 
ible in all companies and across all sectors. 
Among other elements, HP took the gover- 
nance element of risk management extremely 
seriously, implementing a rigorous business 
process that linked and defined the respon- 
sibilities of all elements of the supply chain— 
from procurement and planning to supply 
chain operations, finance, and marketing. 
However, this example shows what is possible 
through a comprehensive and integrated ap- 
proach to supply chain risk management. 


